
Warning: New Family Member for KrakenCryptor Ransomware

02/11/2018 17:38:46

Sample Introduction

In a recent global scan and analysis of potential new and dangerous threats, the Sangfor security team discovered a new variant in the KrakenCryptor ransomware family. Dubbed KrakenCryptor 2.0.7 and first discovered around October 22nd, this variant was analysed by a number of Sangfor customers using our new Neural-X security software. The analysis showed that it uses RSA and AES to encrypt files and then appends a random extension to each encrypted file.

In-Depth Analysis

1. The sample is written with the .NET framework and is obfuscated, as shown in the figures below:

Figure 1

Figure 2: Sample Obfuscation

2. Sangfor de-obfuscated the sample and found it to be similar to typical ransomware: it sets a time limit for victims to pay a predetermined ransom amount and demands further payments if the ransom is not received within one week. Shown below is a countdown timer that is not visible in the graphical interface; it implements the predetermined schedule of cost increases every calendar week.

7. It creates a Wordload key in the registry, where it keeps its encryption log. If the Wordload value is 1, encryption is cancelled.

Figure 12

Figure 13

8. The countries listed above are exempt from attack, but all others are in danger of encryption. The malware sends its own IP address to https://2no.co/2SVJa5 (shortened URL) or https://www.bleepingcomputer.com/ (complete URL). Bleepingcomputer.com is a site providing security technology and information.

Figure 14: Visit Bleepingcomputer.com Site
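As an added example (not code from Sangfor's report), the following proxy-log check looks for the beacon described in step 8. The shortened URL is treated as a strong indicator, while a visit to bleepingcomputer.com alone is only a weak signal, because that site is legitimate and is visited by ordinary users. The log format, IP addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator taken from the advisory: the sample reports its IP to this shortened URL.
# bleepingcomputer.com is a legitimate site, so it counts only as a weak signal.
STRONG_INDICATORS = {("2no.co", "/2SVJa5")}
WEAK_HOSTS = {"www.bleepingcomputer.com"}

# Constructed proxy log lines (hypothetical format: timestamp src_ip method url status).
SAMPLE_LOG = """\
2018-10-23T09:12:01Z 10.0.5.17 GET https://2no.co/2SVJa5 200
2018-10-23T09:12:03Z 10.0.5.17 GET https://www.bleepingcomputer.com/ 200
2018-10-23T09:15:44Z 10.0.5.42 GET https://www.bleepingcomputer.com/news/ 200
2018-10-23T09:20:10Z 10.0.5.99 GET https://2no.co/2SVJa5 200
2018-10-23T09:21:00Z 10.0.5.17 GET https://example.com/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return 'strong', 'weak' or None depending on which indicator the URL matches."""
    parts = urlsplit(url)
    if (parts.hostname, parts.path) in STRONG_INDICATORS:
        return "strong"
    if parts.hostname in WEAK_HOSTS:
        return "weak"
    return None


def find_suspect_hosts(log_text):
    """Return {src_ip: {'strong': n, 'weak': n}} for every host with at least one hit."""
    hits = defaultdict(lambda: {"strong": 0, "weak": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _ts, src, _method, url, _status = m.groups()
        level = classify_url(url)
        if level:
            hits[src][level] += 1
    return dict(hits)


def quarantine_candidates(log_text):
    """Hosts that hit the strong indicator go to quarantine; weak-only hits go to review."""
    hits = find_suspect_hosts(log_text)
    quarantine = sorted(h for h, c in hits.items() if c["strong"] > 0)
    review = sorted(h for h, c in hits.items() if c["strong"] == 0 and c["weak"] > 0)
    return quarantine, review


if __name__ == "__main__":
    q, r = quarantine_candidates(SAMPLE_LOG)
    print("quarantine:", q)
    print("review only:", r)
```

Hosts in the quarantine list match the advisory's recommendation to isolate infected machines from the network; the review list is there to keep legitimate bleepingcomputer.com traffic from being treated as an infection on its own.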

9. Files are encrypted with 256-bit AES in CBC mode.

Figure 15

10. Original files are overwritten and renamed.

Figure 16: Encryption and Overwrite of Files

Figure 17: Encrypted Files are Renamed

11. The ransomware deletes itself after encryption.

Figure 18

12. The desktop wallpaper is changed and the ransom message is displayed.

Figure 19

Solution

Currently there is no decryption tool available for victims. You should quarantine infected hosts and disconnect them from the network.

Sangfor recommends you perform a virus scan and set protections as soon as possible.

Detection and Removal

1. Sangfor offers customers and users free anti-malware software to scan for and remove the ransomware. Simply download it from http://go.sangfor.com/anti-bot-tool-20181024

2. Sangfor NGA is capable of detecting this ransomware.

Protection

1. Fix the vulnerability before infection by installing the corresponding patch on the host.

2. Back up critical data files regularly to other hosts or storage devices.

3. Do not click on any email attachment from unknown sources, and do not download any software from untrusted websites.

4. Disable unnecessary file sharing permissions.

For Sangfor NGAF users, upgrade your device to version 8.0.5 and enable AI-based Sangfor Engine Zero to protect the network from attacks.